ccie blog

Spanning-Tree Backbonefast

This is a 6-minute video that talks in detail about how BackboneFast works and how it can reduce convergence time with spanning tree.

MPLS VPN

In this lab I’m going to go over the config for an MPLS VPN.

MPLS VPN


EIGRP Leak-Map

The leak-map just allows you to advertise a specific prefix within the range of a summary advertisement, as well as the summary itself. We can see in the diagram below that we are advertising the 10.0.0.0/13 network out to R5 & R6, however, we are also advertising the 10.1.0.0/24 network out to R5 using a leak-map.

EIGRP Leak-Map

I’ve configured everything but the leak-map so far. Basically all routers just have EIGRP 100 running & auto-summary disabled. R3 has been configured to summarise 10.0.0.0/13 out to R5 & R6. Below are the current routing tables of both R5 and R6.

EIGRP Query Scoping Using Summarisation

I didn’t understand how this worked, so I took a practical example and put it in for testing. In the diagram below, on R3 I’ll advertise a summary route to R5 and R6. From there we’ll shut down interfaces to the 10.1.0.0/24 network and see how the query scope is limited by this summarisation.

EIGRP Query Scoping Using Summarisation


EIGRP Redistribution Problem

I was reading a Cisco 360 article (BRKRST-3330) and spotted a cool problem I’ve not run into with regards to redistribution. In the topology below, R2 is learning the external EIGRP route 34.34.34.0/24, but R1 is not.

EIGRP - Redistribution Problem


Does VTP transparent mode relay VTP advertisements or not (All Scenarios Tested)?

There has been a lot of controversy about the VTP transparent mode switch, on whether or not it relays VTP information. In the Cisco documentation there is a completely incorrect statement that has caused excessive confusion throughout the networking community. This statement is:

  • “In VTP version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Because VTP version 2 supports only one domain, it forwards VTP messages in transparent mode without inspecting the version and domain name.”

Both statements are invalid. In short, for all scenarios, regardless of VTP version, only the VTP domain names need to match. The VTP version can be different on the transparent switch, but as long as the domain name is the same, the switch will relay the VTP advertisements, as we will see in my testing below. I’m about to use the network below to start my testing. All switches will be put in VTP version 1. Sw1 & Sw3 will be configured as servers, and Sw2 will be configured in transparent mode.

IPv6 Neighbor Discovery Protocol (NDP)

The NDP was the most confusing thing for me to understand. I think it’s down to the fact that NDP covers a lot of things. For example, when I was learning, I assumed that the neighbor discovery protocol just involved the exchange of neighbor solicitation & neighbor advertisement messages. However, the way router discovery (router solicitation & router advertisements), or Duplicate Address Detection (DAD) works comes down to the neighbor discovery protocol. There’s currently a total of nine main functions of NDP, as listed below (each function is discussed in more detail further down this post):

The Neighbor Discovery Protocol (NDP) is responsible for:

  • Router discovery
  • Prefix discovery
  • Parameter discovery
  • Address Autoconfiguration
  • Address resolution
  • Next-hop determination
  • Neighbor unreachability detection
  • Duplicate address detection
  • Redirect

Windows Temporary Address (IPv6)

I’ve been playing with stateless autoconfiguration and couldn’t understand why my Windows 7 PC wasn’t generating an EUI-64 address and appending it to the /64 prefix advertised by my router. After some digging around on the internet, I found out it’s because Windows made some effort to improve your privacy on the internet. Because your MAC never changes, your computer is always going to have the same global IPv6 address, so your internet usage can be tracked.

So what happens is Windows generates a random number for the interface & hashes it (this value is stored in a history file). The hashed value is then appended to the /64 prefix from the router, and this is your global unicast address. Once the lifetime of the address expires, it takes the next value in the history file and hashes it again. Again, it appends it to the /64 from the router, and that becomes the new IPv6 address.

Here is what my current address looks like.

As you can see, there’s no FFFE in the middle of the last 64 bits of that temporary address (which is the address you will be using on the internet), so no EUI-64 conversion is being done. This might be very inconvenient if you’re running a web server, because you don’t want to constantly be changing DNS records to point to the new IPv6 address. So to disable this feature, run a cmd prompt and bang in the following commands:

netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set privacy state=disabled

This enables you to use a static global EUI-64 IPv6 address. My PC’s address now looks like this:

As you can see, the temporary address field has now been removed.

IPv6 Global Unicast Address

These addresses are globally unique. The format is shown below.

Prefix   | Subnet ID | Interface ID
48 bits  | 16 bits   | 64 bits

The 16 bits in the subnet field allow you to create 65,536 subnets. You can have 4 times as many host addresses (the interface ID part of the address) per subnet. Although it’s crazy to have such large subnets, it’s now very clear that the first 48 bits are the prefix, the next 16 bits are the subnet, and the last 64 bits are the hosts. It helps chop out the confusion of VLSM for many new network engineers, because there is now a clear delineation between what is the network address, what is the subnet, and what is the host part of the address.

We can quickly identify a global IPv6 address by looking at whether the address starts with a 2 or a 3. If it does, it’s a global address. If not, it ain’t.

The techy way of working this out is by breaking down the first 16 bits of a global IPv6 address. For example, for 2001::1/64 that would be 2001. If we convert this from hex to binary we get 0010 0000 0000 0001. The first 3 bits of any global IPv6 address always start with 001. So you can see that a global address is always going to start with either a 2 (0010) or a 3 (0011).

IPv6 Link Local Addresses

Key points about link-local addresses:

  • Addresses are automatically generated
  • Addresses can be statically configured, using the interface command #ipv6 address fe80::x/64 link-local
  • Not reachable from another link (i.e. not routable)
  • Always start FE80
  • Used as a source address for IPv6 in the neighbor discovery protocol when sending a router advertisement

Link local addresses start with FE80::/10. The first 10 bits in binary are always 1111 1110 10. The next 54 bits are always zero. So basically, the first 64 bits of link local addresses are always going to be FE80:0000:0000:0000.

The last 64 bits are the 48-bit MAC address with the hex value FFFE (16 bits) inserted in the middle. For example, let’s say the MAC is aaaa.aaaa.aaaa. We would write the last 64 bits as aaaa.aaff.feaa.aaaa. This would make the full 128-bit link local address:

fe80::aaaa:aaff:feaa:aaaa

However, there is actually one more step you must complete in order to work out the address. Check out the config below.

R5(config)#int fa0/0
R5(config-if)#ipv6 enable
R5(config-if)#end
R5#
R5#sh
*Nov 10 18:55:22.811: %SYS-5-CONFIG_I: Configured from console by console
R5#show ipv6 int fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8AA:AAFF:FEAA:AAAA
  No Virtual link-local address(es):
  Global unicast address(es):
    2002::1, subnet is 2002::/64
!.... output omitted for brevity
R5#sh int fa0/0 | i Hardware
  Hardware is Gt96k FE, address is aaaa.aaaa.aaaa (bia c47d.4f3b.dbfc)

What happens is that the 7th bit of the MAC address gets inverted. Converting AA from hex to binary gives 10101010. Notice the 7th bit is 1 here. If we change that to a 0 and convert it back to hex, we get A8 (hex to binary conversion is explained here). So the actual 128-bit address is fe80::a8aa:aaff:feaa:aaaa.
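As an added worked example (my own code, not from the original posts), the following Python script carries out the link-local derivation above (FF:FE insertion plus the 7th-bit flip), the "starts with 2 or 3" test for global unicast addresses, and the FFFE check from the Windows temporary address post; the second MAC it uses is the bia value from the show interface output above, and the 2001:db8:: address is a constructed sample.

```python
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface ID from a 48-bit MAC.

    Accepts Cisco dotted (aaaa.aaaa.aaaa), colon or hyphen notation.
    Steps as in the post: split the MAC in half, insert FF:FE in the
    middle, then invert the 7th bit of the first byte.
    """
    hexdigits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets = bytearray.fromhex(hexdigits)
    octets[0] ^= 0x02   # 7th bit from the left: 0xAA (10101010) -> 0xA8 (10101000)
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])

def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 (10 fixed bits + 54 zero bits) followed by the EUI-64 interface ID."""
    prefix = ipaddress.IPv6Address("fe80::").packed[:8]
    return ipaddress.IPv6Address(prefix + eui64_interface_id(mac))

def is_global_unicast(addr: str) -> bool:
    """True when the top three bits are 001, i.e. the first hex digit is 2 or 3."""
    first_byte = ipaddress.IPv6Address(addr).packed[0]
    return (first_byte >> 5) == 0b001

def interface_id_is_eui64(addr: str) -> bool:
    """Heuristic from the temporary-address post: an EUI-64-derived interface ID
    carries FF:FE in its 4th and 5th bytes; a randomised (privacy) interface ID
    will normally not, so a False here suggests a temporary address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe"

if __name__ == "__main__":
    for mac in ("aaaa.aaaa.aaaa", "c47d.4f3b.dbfc"):
        ll = link_local_from_mac(mac)
        print(f"{mac} -> {ll}  eui64={interface_id_is_eui64(str(ll))}")
    for a in ("2001::1", "3ffe::1", "fe80::1", "2001:db8::1"):
        print(f"{a:12} global={is_global_unicast(a)} eui64={interface_id_is_eui64(a)}")
```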